If you’re a Vodafone Iceland customer it’s a good idea to change your password. And if you’ve sent any confidential information via SMS (such as credit card details, passwords, etc) you should look into that as well.

This is a good time to remind everyone that SMS messages are not very private. Most phone companies keep all SMSs, usually for law enforcement reasons.

This scam has appeared on Twitter recently. There are a few minor variations but they all seem to work the same. It starts with a Twitter message saying,

I will follow back if you follow me

There’s a link at the end of the message that goes to a web page. On this page are two signup options, one free and a paid one called VIP.

The free one asks for your Twitter username and password. It then prompts Twitter to grant the service access to your account. You should not enter these details into any untrusted service.

Once they have your account password they send spam from your Twitter account, directing the recipients to this same web site.

The VIP service is just as bad. It asks for your credit card details and Twitter account details, promising hundreds of Twitter followers. People who fall for this also end up sending spam from their own account, with the added risk of losing money.

McAfee, a large anti-virus company, has published a report called “Inside the Password Stealing Business: the Who and How of Identity Theft”. It goes into the details of password stealing programs and explains the “industry” driving it.

It’s quite detailed and at 17 pages it won’t take too long to read – it’s not very technical.

Password stealing is when a program gets installed on your PC that captures every keystroke and sends it back to a criminal. The idea is that it’ll record all your passwords as you type them, no matter how strong they are. It’s a sophisticated piece of technology and a very large problem worldwide. If you’re not constantly updating your anti-virus software, web browser and OS then you’re at high risk.

These passwords are then sold off and used to steal money from your bank account or to commit other crimes. Even if you don’t use online banking you still have something to lose – someone can apply for a credit card under your name and use it to make expensive purchases, then you’re left to deal with the credit card company and convince them it wasn’t you (this happens every day).

Accounts are often hacked, including Facebook accounts. Too many times people fall for scam emails telling them to (urgently) click on a link and type in their password. Too many times people don’t know how to tell the difference between the real Facebook login page and one made by a scammer (read here for some hints).

And when an account does become compromised, the scammers usually use it to send out spam. Then it can be difficult for people like you to get that account back.

Facebook has given this problem some thought and added a way to recover a compromised account. They will send you an email and ask you to verify your account. Then on their web site they’ll ask you some security questions and ask you to change your password.

Today I received a call from someone claiming to be from Vodafone (a local phone company), offering me a new phone and new plan. Fair enough, I’m a Vodafone customer and my contract’s close to renewal.

But things turned ugly when the person on the phone asked for my account password, so that he could verify he’s talking to the right person. I refused.

I explained that I received an unsolicited call, I don’t know who I’m really speaking to, and that I’m not prepared to give a random stranger my account password.

He’s probably heard this several times so he said he understands, and I could give a few other personal details instead. I refused again. Confused, he put me onto his team leader, or at least someone claiming to be his team leader – I have no way of knowing who I’m speaking to. If I had been the one to initiate the call then I know I’m speaking to the right company. If I receive a call then I don’t know. There’s a fundamental difference here.

The team leader tried to explain they need to confirm who they’re speaking to. She claimed to understand my position, but wouldn’t change her argument. I continued refusing to give my password to a random stranger just so I can hear about new phones.

So we agreed to end the conversation. I wrote Vodafone a complaint using their website, explaining the situation. I’m not sure if the complaint went through because their web page took me to a questions and answers page after I’d typed everything out.

It’s not completely the cold-calling people’s fault, they’re doing what they’re paid to do. It’s Vodafone’s problem that they came up with this procedure. They’re giving their customers an expectation that it’s normal for strangers to call them and ask for their passwords.

And if you haven’t worked out the problem yet, look at it this way. I now know that Vodafone customers must be used to receiving unsolicited calls and giving out their passwords. So if I call 20 random people in Australia, chances are at least one will be a Vodafone customer. I just have to say I can offer them a new phone plan if they can give me their password. Then I can call up Vodafone, confirm my identity using that password, change my mailing address, and order a new phone and ask for it to be sent to my residence. I wouldn’t actually do it this way but you get the idea. It’s called identity theft.

I wrote about the same problem back in 2007; it seems nothing’s changed in the past 2 years.

Yesterday a web site published a hack for Facebook that lets anyone read anyone’s profile. It was possible to read details such as location, gender, relationship status, political views, religious views, etc. It didn’t matter what privacy settings people had set, this hack made it all visible.

Today Facebook have acknowledged the problem and fixed it.

This is a good reminder that when you publish information online, you lose some control over it. If something is so private that you can’t risk others seeing it then don’t publish it.

The email below suggests you can receive $20k from the US government. They ask you to send an email with your personal details. These types of scam then ask you for more details.

Your details are then used for fraudulent activities, under your name (this is called identity theft). It’s also common for the scammer to start asking you for money – there’s usually an excuse that they need to pay lawyers or some other convoluted story.

Below is the scam email, if you see this just delete it:

Hello

Secure $20k in Govt Grants and you never need to pay it back.

All American residents can apply for Govt Grants.

Allotment of grants doesnt depend on your credit history.

The strength of our firm is grants writing.We’re doing business since 1999 and we have helped around 20,000 people obtain grants.

Our company is taking fees of 10% only after our clients receive funds from Govt.There’s no risk for you at all.You’re paying our fees only when you’ve received grant money in your bank account.

Send us details including first name, last name, address, profession, date of birth, annual income, reason for govt grant.

Twitter is the biggest internet craze since Facebook; there are currently an estimated 6 million people using it.

A few days ago Twitter users were asked to take part in a “game” called #twitterpornnames. How does it work? You’re supposed to announce a made-up name along with the hash tag and share it. The formula provided to create your name just happens to match some very common security questions to help people reset their passwords. Pet’s name. First teacher. Street you grew up on.

So when people started participating they were in fact sharing the same information used by web sites to reset passwords. It’s called social engineering: it tricked people into revealing sensitive information. And the nature of Twitter is that people share information and click on links without much thought (is this a Gen-Y thing?).

If you use Twitter and see these sorts of “games” going around, don’t share private, sensitive data so easily. This same data can be used to hack into your accounts.